Neural network based anomaly detection

Detecting anomalous traffic with low false alarm rates is of primary interest in IP networks management. To this aim it is essential to distinguish between the natural variability of traffic due to its bursty nature and attack-related anomalous events. In this paper we investigate the applicability of neural networks for traffic prediction, focusing on the multilayer feedforward architecture and comparing the performance of different back-propagation algorithms. Prediction is carried out for different random aggregates (obtained through reversible sketches, introduced to improve the scalability of the solution) of traffic flows and, after comparing the prediction error with a threshold, a voting procedure is used to decide about the nature of the current data (with the additional possibility of identifying anomalous flows thanks to the features of reversible sketches). The performance analysis, presented in this paper, demonstrates the effectiveness of the proposed method (in terms of low false alarm rates and convergence speed) for an adequate choice of the learning algorithm.